WOOO/35227 PCT/EP98/08064 

a MRTHOD FOR A SECURE DETAC H PROCEDURE 
TN A RADTO TEIiECOMMUNIC ftTTON NETWORK 

5 FTELD OF THE INVENTION 

The present invention relates to a method for performing a 
secure detach procedure in a radio telecommunication 
network, in particular in a so-called third generation 
10 network. Moreover, the present invention relates to a 
corresponding registration procedure for registering a 
subscriber to such a telecommunication network. Also, the 
% present invention relates to corresponding devices of 

Sf! subscriber terminals and network controlling devices which 

15 are adapted to carry out these methods, and to a 
correspondingly adapted telecommunication network. 

RACKGROUNn OF TH E INVENTION 

EH 20 In hitherto known telecommunication networks, a subscriber 

2 terminal as a first type radio transceiver device 

C3 (hereinafter: mobile station MS), in order to be operated 

within a network, needs to be registered to the network NW, 
i.e. to a network controlling device lik* for example a 
25 mobile services switching center MSG (or an SGSN), which 
controls so called base station controllers BSC, which in 
turn control base stations BS as second type radio 
transceiver devices. 

30 To this end, each subscriber has a subscriber identity 

module SIM to be inserted into the used mobile station MS 
as a respective terminal equipment. The SIM contains a pre- 
stored international mobile subscriber identity number 
IMSI, by which a user can be identified. However, in order 

35 to protect the user against being identified by an intruder 
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in the network, each user is assigned a temporary mobile 
subscriber identity TMSI . This^ identification which changes 
either from time to time or from area to area (when 
combined with a location area identifier LAI) allows an 
5 "anonymous" identification of the user when using his 
terminal. 

For details of the roughly described registration procedure 
including ciphering of transmitted data for authentication 
10 at registration, which details are considered to be not 

necessarily to be described here, the reader is referred to 
the plurality of respective publicly available GSM 
specifications . 

15 Likewise, an attached or registered subscriber or mobile 
station, respectively, will have to perform a detach from 
the network under specific conditions • For example, the 
mobile station will be detached from the network and its 
registration will be abandoned, in case the SIM module is 

20 detached from the terminal equipment or the like. 

In such cases, the mobile station MS sends a detach message 
to the network NW, the so-called IMSI DETACH INDICATION 
message. Upon receipt of the IMSI DETACH INDICATION the 

25 network controlling device (MSC) sets an inactive 

indication for the mobile station MS, while no response is 
returned to the mobile station itself. (For details, also 
in this context it is referred to the respective GSM 
specifications). Namely, no authentication is conducted at 

30 detach, when the mobile station initiating the detach 
procedure leaves the network. 

Thus, there exists a possibility that a malicious user may 
obstruct or even terminate a third party's call by sending 
35 detach messages with random identities of mobile stations 
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(i,e- random numbers of TMSI identifiers). Stated in other 
words, although it is not possible to interrupt the 
connection to a specific mobile station MS of a certain 
specified user by. sending such a detach message, a lot of 
damage and irritation can be caused to a great number of 
users as well as to the operator of the network NW, when 
arbitrary calls and/or radio connections are blocked and/or 
terminated by the intention of a malicious third party. 

A previously proposed approach to prevent this resides in 
performing an authentication procedure when a mobile 
station MS is to be detached from the network NW, i.e. upon 
receipt of a detach message at the network from the mobile 
station. 

However, such a proposed authentication at detach is rather 
time consuming in many situations and has therefore only a 
limited applicability. 

Moreover, performing an authentication procedure may not be 
feasible if the mobile station is performing power off, 
i.e. is switched off, or the available battery power is too 
low so that normal operation of the mobile station can not 
be assured any longer. * 

SUMMARY OF THE INVENTION 



Hence, it is an object of the present invention to provide 
a simple and useful method for performing a detach from 
30 and/or a corresponding method for registration to a 
network, which prevent the above described problems. 



According to the present invention, this object is achieved 
by a method for performing a detach of a terminal 
35 registered to a telecommunication network by 
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associating an identification for said terminal, deriving a 
signature for said identification, and allocating a pair 
consisting of said identification and said signature to 
said terminal, said method comprising the steps of: sending 
5 a detach request including said identification and said 
identification signature from said registered terminal to 
said network; receiving said detach request at the network 
side; comparing said received detach request with a record 
of registration data of said terminal kept at the network 
10 side; and detaching said terminal from said network, if 

said received detach request coincides with said record of 
registration data. 



According to the present invention, this object is 
15 furthermore achieved by a method for registration of a 
terminal to a telecommunication network, said method 
comprising the steps of: associating an identification for 
said terminal, deriving a signature for said 
identification, and allocating a pair consisting of said 
20 identification and said signature to said terminal. 

Favorable refinements of the present invention are as 
defined in the respective dependent claims. 

» 

25. Thus, the present invention provides the advantage that a 
simple and useful method is available for preventing a 
malicious user to interrupt third party's calls by sending 
detach messages with random identities of mobile stations. 

30 In particular, the proposed method enables an immediate 
authentication of the mobile station requesting a detach 
procedure upon receipt of the detach request message or the 
detach request, respectively. This authentication procedure 
is not time consuming and also applicable in case of a 

35 mobile station being switched off (entering the power off 
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State) or having a battery level which is too low for 
normal operation of the mobile station. Thus, even in such 
situations, the detach procedure may be carried out 
correctly. 

5 

Moreover, due to the fact that the detach request is 
composed of the identifier as well as the identifier 
signature, the proposed immediate authentication process is 
highly secure, because in practice it is impossible to find 
10 such a matching pair by just taking two arbitrary numbers. 

RRTEF DEi^rRIPTIO M OF THE DRAWINGS 

The present invention will be more readily understood with 
15 reference to the accompanying drawings, in which: 

Fig. 1 shows a flowchart of the registration procedure 
according to the present invention; 

20 Fig. 2 shows a flowchart of the detach procedure according 
to the present invention; and 

Fig. 3 shows a schematic representation of the data format 
used for the detach request or detach rec^est message, 
25 respectively, according to the present invention. 

■DETAILED DERfRTPTIOKI OF PREFERRED EMBODIMENTS 



30 



According to the present invention, when a mobile station 
MS as a first type radio transceiver station or, in 
general, a terminal is registered to a network NW like for 
example a so-called third generation radio 
telecommunication network, i.e. registered to the network 
controlling device MSG, it sends an attach/registration 
35 request (formed by one or more request messages), or 
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dependent on the specific situation, a location update' 
request to the network NW. A request as such (to be valid 
for being evaluated) may be composed of more than one 
transmitted messages. 

5 

The network NW, which for the present description is 
assumed to be represented by the network controlling device 
as for example an MSG, in turn associates an identification 
to the mobile station MS, Associating such an 
10 identification may be achieved in that the network NW 
allocates an identification to the terminal MS 

The identification may be represented by the temporary 
mobile subscriber identity TMSI. Alternatively, as the 

15 identification also the international mobile subscriber 
identity IMSI could be used. In general, any suitable 
identification may be used for identifying a respective 
mobile terminal MS, and the present invention is not 
restricted to the use of the TMSI or the IMSI as 

20 identifications . 

Additionally, the network NW allocates a signature (e.g. 
TMSI signature TMSi^^lGT^orres^oiTa'ili^ 

identification anH^erxved therefor on the^ basis of, for 
25 example, a coding algorithm like an algorithm known as the 
"Pretty Good Privacy" (PGP) algorithm, to the terminal, 
i.e. the mobile station MS. However, the deriving of the 
signature for and/or of the identification is not limited 
to the network side. Namely, alternatively, also the 
30 terminal MS may derive a signature for the identification 
by way of calculation. In this connection, information as 
to which algorithm for calculating the signature is to be 
chosen is in such a case exchanged between the network NW 
and the terminal MS. After having thus derived the 
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signature, the deriving side (i.e. NW or MS) informs the 
other side of the derived signature. 

Both data items, the identification TMSI as well as the 
identification signature TMSI_SIG are allocated to the 
mobile station MS in a secure mode, so that it is 
impossible for any other mobile station or any other third 
party to know the pair of these data items TMSI, TMSI_SIG. 
Of course, if in the above mentioned example case the 
terminal MS derives the signature, the derived signature is 
informed to the network NW in a secure mode, to be securely 
associated to the identification, so that it -is impossible 
for any other mobile station or any other third party to 
know the pair of these data items TMSI, TMSI_SIG. 

In particular, according to the present invention, the 
network NW or the network controlling device MSG, 
respectively, associates and/or allocates also a signature 
TMSI_SIG in combination with the identifier TMSI itself to 
the mobile station MS. Moreover, according to the present 
invention, the associated signature is used together with 
the identifier in a detach procedure, as described below. 

Namely, in case the mobile station MS leases the network NW 
and is to be detached therefrom due to, e.g., switching off 
the mobile station MS or a low battery charging state at 
the mobile station's side or a removal and/or taking off a 
SIM card (subscriber identity module) as examples for a 
respective predetermined detach condition for the mobile 
station, a detach procedure according to the present 
invention is performed. In particular, in this detach 
procedure, the mobile station MS when requesting and/or 
initiating detach, sends a detach request to the network 
NW. The detach request contains the identification TMSI and 
the identification signature TMSI_SIG as a pair of data 
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items. The network compares the received two data items 
which identify the requesting mobile station with the 
previously allocated one's. If the comparison yields that . 
the received data items are identical to the previously 
5 allocated one's^ the detach is performed correctly at the 
network side. Because no other mobile station MS except the 
one to which the identifier signature and corresponding 
identifier were previously allocated to, knows the pair of 
data items, it is impossible for other mobile stations to 
10 perform a malicious detach procedure. 

The following description of the drawings will set out the 
operation of the present invention in greater detail. 

15 Fig. 1 shows a flowchart of the registration procedure. In 
step SO the registration procedure starts. In the 
subsequent step SI, it is checked at the mobile station MS 
side, whether a registration condition is present. Such a 
registration condition may for example be present when said 

20 mobile station newly attaches to a network NW and has 

initially to be registered (authenticated) at the network 
NW side, or when said mobile station has moved within the 
network NW and a location update of said mobile station MS 
becomes necessary. Alternatively, also a f:ell update in 

25 case of the terminal having moved to an extent that the 
previous cell has been left and a new cell was entered 
represents such a registration condition. Also, in third 
generation networks an URA (UTRAN Registration Area, UTRAN 
standing for "Universal Terrestrial Radio Access Network") 

30 update is possible, thus representing a registration 

condition in the sense of the present invention. Such an 
URA update may be necessary in case of third generation 
networks, in which a radio network controller RNC handles 
the location information in terms of registration areas. 

35 
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Such updates become for example necessary when the mobile 
station has to be registered to another controlling device 
MSG within the network due to "excessive" moving within the 
network and/or in case of a request of the mobile station 
5 MS for a traffic channel assignment. 

If no registration condition is present in step SI, the 
procedure returns to step SI until a registration condition 
is present. Then, the process proceeds to step S2. 

10 

in step S2, the mobile station MS sends a registration 
request REG_REQ to the network NW, i.e. to th'e network 
controlling device, e.g. the MSG. The registration request 
REG_REQ is for example an attach request for initial 

15 registration of said mobile station MS as a first type 
radio transceiver device in said network, or a location 
update request for updating a previous registration of said 
mobile station MS in said network, or any other request 
which is transmitted when any of the above described 

20 further possible registration conditions is satisfied. 

In step S3, this registration request REG_REQ is received 
by the network controlling device. In response to receiving 
said request, the network controlling device selects or 
25 determines an identification like for example TMSI for the 
requesting mobile station MS. 

Moreover, in a subsequent step S4 of the described example, 
the network NW (network controlling device MSG) also 

30 derives an identification signature TMSI_SIG for said 
identification TMSI- (However, as mentioned above, the 
signature may also be derived by the mobile station MS 
itself upon receipt of a corresponding instruction from the 
network NW, and the signature will then have to be informed 

35 to the network NW (not represented in the figures).) 
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Both of these data items as parameters for identifying a 
specific mobile station MS^ neimely, the identification TMSI 
and the (separate) identification signature TMSI_SIG are 
allocated to the mobile station MS in a subsequent step S5. 
5 Of course, the network NW keeps a record of the thus 
assigned pair of data items* 

The data items TMSI and TMSI_SIG are allocated in a secure 
mode, so that a third party may not obtain a knowledge of 
10 the assigned data items • Then, in step S6 of the described 
example, they are transmitted from the network NW side to 
the mobile station MS side in order to inform the mobile 
station of the allocated identification TMSI and the 
identification signature TMSI__SIG, 

15 

Thereafter, in step S7, the registration procedure is 
completed . 

Fig, 2 illustrates a flowchart of the detach procedure when 
2 0 a mobile station MS as a terminal is to be detached from 
the network it has previously been registered to. 

The detach procedure starts in a step S8, In a subsequent 
step S9, at a respective mobile station MS side, it is 

25 checked whether a predetermined condition, i,e, a detach 
condition, of the mobile station MS is present. Such a 
detach condition may for example be met in case of a power 
off state of said mobile station MS, or in case a low 
battery charging state of the battery of the mobile station 

30 is detected. Alternatively, a user actuated command may 

fulfill the detach condition, for excunple, if another user 
wishes to use the mobile station MS as a terminal equipment 
and an SIM module (subscriber identity module) of the new 
user has to be inserted. This applies also in case of 

35 removal of the SIM module. 
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If no such detach condition as a predetermined condition is 
detected, the procedure loops until a corresponding 
condition is detected. If a detach condition is detected at 
the mobile station side, the mobile station MS sends a 
5 detach request DET^REQ to the network NW, i.e. to the 
network controlling device like an MSG, step SIO. 

The detach request DET_REQ contains said pair of said 
identification TMSI and said identification signature 
10 TMSI_SIG previously allocated to said mobile station MS 

upon registration of the mobile station to the network NW. 

In particular, the detach request DET_REQ, may for example, 
assume a data format as shown in Fig. 3 of the drawings. As 

15 roughly schematically illustrated therein, a burst 

transmitted from the mobile station MS to the network NW 
(controlling device) contains the detach request DET_REQ. 
The detach request contains the pair of the identification 
TMSI and the identification signature TMSI_SIG. Although 

20 the TMSI and TMSI_SIG are illustrated as being transmitted 
immediately one after the other in the burst, another burst 
format may be adopted in that there may be provided a guard 
period or dummy period (not shown) between the respective 
data items. Alternatively, each data item* could be 

25 identified by a respective flag (not shown) indicating 

which data item is transmitted next, and transmitted prior 
to th^ respective data item. Moreover, in the latter case, 
the order of the specific transmitted data items would not 
be restricted to a specific one, but could be changed in an 

30 arbitrary manner, as long as the data items could be 

identified at the reception side. Furthermore, the detach 
request could be transmitted in a form such that for 
example, the identification and the identification 
signature could be transmitted in consecutive bursts as 
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respective request messages which in combination result in 
the request as such. 

In step Sll^ the detach request DET_REQ is received at the 
5 network NW side* In a following step S12, the received 
detach request DET_REQ is compared, data item per data 
item, i.e. separately for the identification TMSI and the 
identification signature TMSI_SIG, with a record of 
registration data of said terminal kept at the network 
10 side. The record is the record of the previously assigned 
pair of data items TMSI, TMSI_SIG kept at the network NW 
side, as mentioned above in connection with step S5, upon 
registration of a respective mobile station MS to the 
network NW. 



Namely, at the network controller side a set of such 
records (e.g. in form of a table) of all allocated pairs of 
data items TMSI, TMSI_SIG for all respective mobile 
stations currently registered to the network is kept, and 
20 in step 512 a check is made as to whether the received pair 
of TMSI, TMSI_SIG is contained as a record in said set of 
records (table). 

If the pair of data items received with t^e detach request 
25 message DET_REQ is not contained in said record (NO in step 
S12), the procedure advances to step S13. In step S13, no 
detach operation is performed, and all registered mobile 
stations remain registered to the network. Also, an 
authentication procedure (registration) could then be 
30 started in this case in step S13. Therefore, a malicious 
user sending arbitrary identifications can not terminate 
any call or detach any other user, since he is not enabled 
to send a pair of matching data items of an identification 
TMSI and a corresponding identification signature TMSI SIG. 
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If, however, the comparison in step S12 yields that the 
received detach request DET_REQ contains a pair of data 
items TMSI/ TMSI_SIG which is contained in the table of 
records, i.e. has previously been allocated to a mobile 
station upon registration, (YES in step S12) then the flow 
proceeds to step S14. 

In step S14, a detach operation is performed, since it has 
been verified that the detach request DET^REQ originated 
from an authentic mobile station which was previously 
registered to the network. Thus, an immediate 
authentication procedure can be carried out by comparing 
the pair of received data item TMSI, TMSI_SIG with a record 
of previously allocated (assigned) data items. This assures 
that a detach operation is only performed for a mobile 
station MS as a respective terminal, if the request for 
detach originates from the mobile station MS itself. Hence, 
no malicious user can initiate a detach of arbitrary mobile 
stations since he can not know the pair of the 
identification TMSI and the corresponding signature 
TMSI_SIG. 

Moreover, the authentication at detach is immediately 
effected at the network side without involving a repeated 
handshaking procedure with the mobile station. Thus, the 
authentication procedure can also be successfully performed 
in case the mobile station has a too low battery charging 
level, has been switched off , or the like. 

The procedure has been described herein above mainly with 
reference to the temporary mobile subscriber identity TMSI 
being used as an identification and for deriving the 
signature therefor, since the TMSI is already defined in 
existing radio telecommunication systems and, therefore, 
can be advantageously be used in connection with the 




wo 00/35227 PCT/EP98/08064 

- 14 - 

present invention. Nevertheless, the present invention can 
also be carried out in case a new identification and 
corresponding signature thereof are defined, while this, 
however, would require additional changes to existing 
agreed standards . 



It should be understood that the above description and 
accompanying drawings are only intending to illustrate the 
present invention by way of example. Thus, the preferred 
embodiment of the invention may vary within the scope of 
the attached claims. 



